r/k8s-controller: Deploy HAProxy
The _haproxy_ role only installs HAProxy and provides some basic global configuration; it expects another role to depend on it and provide concrete proxy configuration with drop-in configuration files. Thus, we need a role specifically for the Kubernetes control plane nodes to provide the configuration to proxy for the API server.
parent
fd155aab49
commit
727bd178c0
|
@ -1,9 +1,8 @@
|
||||||
- hosts: k8s-controller
|
- hosts: k8s-controller
|
||||||
roles:
|
roles:
|
||||||
- role: keepalived
|
- role: k8s-controller
|
||||||
tags:
|
tags:
|
||||||
- keepalived
|
- k8s-controller
|
||||||
- role: kubelet
|
|
||||||
|
|
||||||
- hosts: k8s-node
|
- hosts: k8s-node
|
||||||
roles:
|
roles:
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
dependencies:
|
||||||
|
- role: kubelet
|
||||||
|
- role: keepalived
|
||||||
|
tags:
|
||||||
|
- keepalived
|
||||||
|
- role: haproxy
|
||||||
|
tags:
|
||||||
|
- haproxy
|
|
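Review bot: The `kubelet` dependency is the only one of the three without a `tags:` entry, so a run limited with `--tags kubelet` applies nothing from this role unless the kubelet role tags its own tasks, whereas `--tags keepalived` and `--tags haproxy` do select their dependencies. For consistency with the other two entries, add `tags:` / `- kubelet` under `- role: kubelet`. Dependencies are applied in the listed order ahead of this role's own tasks, so keeping `haproxy` last, immediately before the tasks that write its drop-in config, is the right ordering; a one-line comment saying so would save the next reader from reordering them.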
@ -0,0 +1,43 @@
|
||||||
|
# SELinux prevents HAProxy (haproxy_t) from reading the Kubernetes root
|
||||||
|
# CA certificate file (kubernetes_file_t). Changing the policy to
|
||||||
|
# allow it would be overly permissive, so we make a private copy of the
|
||||||
|
# file for HAproxy to use.
|
||||||
|
- name: ensure haproxy has a copy of kubernetes ca certificate
|
||||||
|
copy:
|
||||||
|
src: /etc/kubernetes/pki/ca.crt
|
||||||
|
dest: /etc/haproxy/kube-root-ca.crt
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,go=r
|
||||||
|
setype: etc_t
|
||||||
|
remote_src: true
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- ca-cert
|
||||||
|
- name: ensure haproxy is configured for kubernetes apiserver
|
||||||
|
template:
|
||||||
|
src: haproxy.cfg.j2
|
||||||
|
dest: /etc/haproxy/conf.d/40-apiserver.cfg
|
||||||
|
mode: u=rw,go=r
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- haproxy-config
|
||||||
|
- haproxy
|
||||||
|
notify: reload haproxy
|
||||||
|
- name: ensure haproxy can connect to kubernetes apiserver port
|
||||||
|
seboolean:
|
||||||
|
name: haproxy_connect_any
|
||||||
|
state: true
|
||||||
|
persistent: true
|
||||||
|
tags:
|
||||||
|
- selinux
|
||||||
|
|
||||||
|
- name: flush handlers
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: ensure haproxy is running
|
||||||
|
service:
|
||||||
|
name: haproxy
|
||||||
|
state: started
|
||||||
|
tags:
|
||||||
|
- service
|
|
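Review bot: The `haproxy_connect_any` boolean set by the `seboolean` task allows haproxy_t to connect to every TCP port, which is the same kind of blanket policy relaxation the header comment rejects for the CA file read; if the only outbound target is the apiserver on 6443, labelling that port instead (e.g. `seport: { ports: 6443, proto: tcp, setype: http_port_t }`) is the narrower fix, though this should be confirmed against the haproxy policy on the target distribution before switching. Separately, the CA copy task has no `notify: reload haproxy`, so a rotated /etc/kubernetes/pki/ca.crt is copied but the running HAProxy keeps validating health checks against the old ca-file until something else triggers a reload. The tag sets are also uneven: `--tags haproxy` renders the config but skips the boolean (`selinux` only) and the service task (`service` only), so a tagged run can leave the new config unapplied; adding `- haproxy` to both of those tag lists keeps them in step. The service task uses `state: started` without `enabled: true`, which is only sufficient if the base haproxy role already enables the unit.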
@ -0,0 +1,16 @@
|
||||||
|
listen apiserver
|
||||||
|
mode tcp
|
||||||
|
bind *:443,:::443 v6only
|
||||||
|
|
||||||
|
option tcplog
|
||||||
|
|
||||||
|
balance roundrobin
|
||||||
|
|
||||||
|
option httpchk
|
||||||
|
http-check connect ssl
|
||||||
|
http-check send meth GET uri /healthz
|
||||||
|
http-check expect status 200
|
||||||
|
|
||||||
|
{% for server in groups["k8s-controller"] %}
|
||||||
|
server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
|
||||||
|
{% endfor %}
|
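Review bot: The health check on the `http-check send` line probes `/healthz`, which the apiserver has deprecated since 1.16 in favour of `/livez` and `/readyz`; for a load balancer deciding whether to route traffic, `/readyz` is the endpoint that reflects readiness to serve, so `http-check send meth GET uri /readyz` is the better target. The server line derives the HAProxy server name from `server.split(".")[0]`, which only yields unique names when inventory entries are FQDNs; with IP-address entries two controllers in the same first octet collapse to the same name, and recent HAProxy versions reject duplicate server names within a backend, so a `loop.index`-based name or the full host would be more robust. The `ca-file` only validates the chain for the check; without `check-sni`/`verifyhost` any certificate signed by the cluster CA passes, which is acceptable for a health probe but worth a comment such as `# ca-file validates the chain only; no hostname check on the probe` so no one mistakes it for backend identity verification. Since the listener runs in `mode tcp`, client TLS (including client certificates) passes through unchanged to the apiserver, which is the right choice here and also worth stating in a comment.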